Thursday, March 15, 2012

CPE: McAfee AudioParasitic: Episode 12 rootkit detective part 2

Discussion with Ahmed Sallam, the developer who wrote Rootkit Detective.

The latest threat is to infect firmware; this took me back 15 years to when I was doing work at the BIOS level.

System architecture is so complex and so layered that it is sufficient for a rootkit writer to find only the one layer he is interested in, and boom, hide in that layer.

Rootkits are very challenging for the author, who has to find new methods.

Rootkits are very challenging for the security researcher, who has to repair the system.

Basically, very easy to detect but very difficult to repair!

Rootkit Detective is not a signature-based tool: it does not say what type of rootkit exists.
It works at a lower level, looking for what is indicative of a rootkit's presence and what can be done about it.

Compared to BlackLight, RootkitRevealer, etc.:
in terms of detection, most of us know how to detect; it is not that hard!
Rootkit Detective has very solid techniques, with much stronger process detection.
Filesystem/registry/hive: some good, sufficient techniques.
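The notes do not describe how Rootkit Detective's process detection works, so the following is an added illustration (not the tool's code) of what a non-signature, "indicative of a rootkit" check looks like: a cross-view comparison, where the same list of processes is gathered through two interfaces at different levels and any process that one view reports but the other does not is flagged. The Linux /proc and kill(pid, 0) views, the snapshot-based race handling and the PID cap are this example's own assumptions; the constructed snapshots in `demo()` are made up.

```python
"""Cross-view hidden-process check.

Added illustration of non-signature rootkit detection; this is NOT
Rootkit Detective's code. Assumes Linux: a high-level view (/proc
listing, which a rootkit that hooks directory enumeration can filter)
and a low-level view (probing each PID with kill(pid, 0)).
"""
import os


def procfs_view():
    """High-level view: PIDs visible as directories under /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def kill_probe_view(max_pid=32768):
    """Low-level view: PIDs that the kernel says exist when signalled
    with signal 0. A cap of 32768 is assumed for demonstration speed;
    use /proc/sys/kernel/pid_max for a full sweep."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue            # no such process
        except PermissionError:
            pass                # exists, but we may not signal it
        alive.add(pid)
    return alive


def hidden_pids(high_snapshots, low_snapshots):
    """Pure comparison over several rounds of snapshots.

    A PID is reported as hidden only if it was present in EVERY
    low-level snapshot and absent from EVERY high-level snapshot.
    Requiring agreement across rounds filters out processes that
    merely started or exited between two enumerations (the usual
    false-positive source in cross-view checks)."""
    if not high_snapshots or not low_snapshots:
        return set()
    always_low = set.intersection(*map(set, low_snapshots))
    ever_high = set.union(*map(set, high_snapshots))
    return always_low - ever_high


def scan(rounds=3, max_pid=32768):
    """Take `rounds` paired snapshots of the live system and compare."""
    highs, lows = [], []
    for _ in range(rounds):
        lows.append(kill_probe_view(max_pid))
        highs.append(procfs_view())
    return hidden_pids(highs, lows)


def demo():
    """Constructed snapshots (not captured data): PID 4 is hidden from
    /proc in every round; PID 5 is a transient process that shows up
    in the second /proc snapshot and so must not be flagged."""
    highs = [{1, 2, 3}, {1, 2, 3, 5}]
    lows = [{1, 2, 3, 4, 5}, {1, 2, 3, 4}]
    return hidden_pids(highs, lows)


if __name__ == "__main__":
    print("constructed demo, hidden PIDs:", demo())
    print("live scan, hidden PIDs:", scan())
```

The comparison is deliberately separated from the collection: any pair of views (a userland API against a raw kernel structure walk, a directory listing against raw disk sectors, a registry API against the hive file on disk) can be fed into `hidden_pids` unchanged, which is the same idea behind the filesystem and registry checks mentioned above. A non-empty result says only that something is being hidden, not which rootkit is doing it.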

We have newer, more advanced methods and techniques, BUT for today they are not necessary!

Using the vast database of rootkit samples in house, it is possible to test many methods and techniques and decide which of them should be implemented to sufficiently detect current and future rootkits in the first release.

More methods can be implemented in future releases. There is no need to implement them now; this keeps some of the weapons hidden for the future...

Scary trend: how a rootkit can exploit the GPU. It scares me to death: it is possible for a rootkit to hide in the GPU and infect the operating system.

Closing notes:
The most dangerous holes are at the system architecture level, not at the implementation level or the application level.